Rewrite HKDF_expand().

Simplify overflow checking and length tracking, use a CBB to handle output
and use HMAC_CTX_new() rather than having a HMAC_CTX on the stack.

ok tb@

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@

Avoid a potentially overflowing check

This doesn't actually overflow, but still is poor style.

Speaking of which: this is now the second time I get to fix something
reported by Nicky Mouha by way of a blog post. The first time was the
actual SHA-3 buffer overflow in Python where it is not entirely clear
who screwed up and how. Hopefully next time proper communication will
happen and work.

ok jsing

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Include evp_locl.h where it will be needed once most structs from
evp.h will be moved to evp_locl.h in an upcoming bump.

ok inoguchi

Add a mostly empty hmac_local.h. HMAC_CTX and a few other things
from hmac.h will be moved there in an umpcoming bump. Include this
file where it will be needed.

ok inoguchi

Remove unused #include <assert.h>.

This is from upstream where there is an assert() that EVP_MD_size(digest)
matches the length returned by HMAC(). We avoid asserts in our libraries.

From Martin Vahlensieck

A touch of style(9)

OK tb@ tedu@

Use explicit_bzero() to clear key material

OK tb@ tedu@

Add missing $OpenBSD$ tags.

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

Hide symbols in hkdf, evp, err, ecdsa, and ec

(part 2 of commit)

ok jsing@

Avoid a potentially overflowing check

This doesn't actually overflow, but still is poor style.

Speaking of which: this is now the second time I get to fix something
reported by Nicky Mouha by way of a blog post. The first time was the
actual SHA-3 buffer overflow in Python where it is not entirely clear
who screwed up and how. Hopefully next time proper communication will
happen and work.

ok jsing

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Include evp_locl.h where it will be needed once most structs from
evp.h will be moved to evp_locl.h in an upcoming bump.

ok inoguchi

Add a mostly empty hmac_local.h. HMAC_CTX and a few other things
from hmac.h will be moved there in an umpcoming bump. Include this
file where it will be needed.

ok inoguchi

Remove unused #include <assert.h>.

This is from upstream where there is an assert() that EVP_MD_size(digest)
matches the length returned by HMAC(). We avoid asserts in our libraries.

From Martin Vahlensieck

A touch of style(9)

OK tb@ tedu@

Use explicit_bzero() to clear key material

OK tb@ tedu@

Add missing $OpenBSD$ tags.

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

Avoid a potentially overflowing check

This doesn't actually overflow, but still is poor style.

Speaking of which: this is now the second time I get to fix something
reported by Nicky Mouha by way of a blog post. The first time was the
actual SHA-3 buffer overflow in Python where it is not entirely clear
who screwed up and how. Hopefully next time proper communication will
happen and work.

ok jsing

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Include evp_locl.h where it will be needed once most structs from
evp.h will be moved to evp_locl.h in an upcoming bump.

ok inoguchi

Add a mostly empty hmac_local.h. HMAC_CTX and a few other things
from hmac.h will be moved there in an umpcoming bump. Include this
file where it will be needed.

ok inoguchi

Remove unused #include <assert.h>.

This is from upstream where there is an assert() that EVP_MD_size(digest)
matches the length returned by HMAC(). We avoid asserts in our libraries.

From Martin Vahlensieck

A touch of style(9)

OK tb@ tedu@

Use explicit_bzero() to clear key material

OK tb@ tedu@

Add missing $OpenBSD$ tags.

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Include evp_locl.h where it will be needed once most structs from
evp.h will be moved to evp_locl.h in an upcoming bump.

ok inoguchi

Add a mostly empty hmac_local.h. HMAC_CTX and a few other things
from hmac.h will be moved there in an umpcoming bump. Include this
file where it will be needed.

ok inoguchi

Remove unused #include <assert.h>.

This is from upstream where there is an assert() that EVP_MD_size(digest)
matches the length returned by HMAC(). We avoid asserts in our libraries.

From Martin Vahlensieck

A touch of style(9)

OK tb@ tedu@

Use explicit_bzero() to clear key material

OK tb@ tedu@

Add missing $OpenBSD$ tags.

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

Include evp_locl.h where it will be needed once most structs from
evp.h will be moved to evp_locl.h in an upcoming bump.

ok inoguchi

Add a mostly empty hmac_local.h. HMAC_CTX and a few other things
from hmac.h will be moved there in an umpcoming bump. Include this
file where it will be needed.

ok inoguchi

Remove unused #include <assert.h>.

This is from upstream where there is an assert() that EVP_MD_size(digest)
matches the length returned by HMAC(). We avoid asserts in our libraries.

From Martin Vahlensieck

A touch of style(9)

OK tb@ tedu@

Use explicit_bzero() to clear key material

OK tb@ tedu@

Add missing $OpenBSD$ tags.

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

Remove unused #include <assert.h>.

This is from upstream where there is an assert() that EVP_MD_size(digest)
matches the length returned by HMAC(). We avoid asserts in our libraries.

From Martin Vahlensieck

A touch of style(9)

OK tb@ tedu@

Use explicit_bzero() to clear key material

OK tb@ tedu@

Add missing $OpenBSD$ tags.

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

A touch of style(9)

OK tb@ tedu@

Use explicit_bzero() to clear key material

OK tb@ tedu@

Add missing $OpenBSD$ tags.

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

Add missing $OpenBSD$ tags.

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@

Bring in HKDF, from BoringSSL, with regress tests modified to be
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@